Running on nginx with InvoiceNinja being the only virtual web site on this host, I have set REQUIRE_HTTPS=true and turned Client Portal off. If I go to https://invoice.example.com/client/ I rightfully get a “section turned off by admin”. If I instead go to https://192.168.10.10/client/ (where 192.168.10.10 is a placeholder for my real IP) I get a certificate warning, and after adding an exception I get to the client portal login page.
While I’m at it: Opening https://192.168.10.10/ gets me to the admin console. If I log in this way I end up in the admin console, I see my company in the company selector in the top left corner, but without the logo and I also don’t see the logo in Settings → Company Details → Logo. Seems like the logo is somehow tied to the URL. (If I log in the regular way via the hostname, the logo is still there.)
Granted, the IP-address-trick working means there is potential for improving the web servers config, but hey …
My DNS service provides protection of my direct IP address automatically, so I cannot test this myself, but can you add to your NGINX conf file these lines, where invoice.example.com is your domain name:
if ($host != "invoice.example.com") {
return 301 https://invoice.example.com;
}
If you add this line anywhere in the NGINX server block listening on 443, it should force redirect any attempted connections into using the specified domain for access, regardless of what addressing they used before.
Note that you must restart the NGINX service after the change to the conf file with
systemctl restart nginx
If you can please verify that it does work. I assume it will, and I’ve added it to my notes now.
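The `if ($host != ...)` check above works, but nginx can also refuse to serve a vhost it was never asked for. The following is an added example configuration, not the poster's snippet and not Invoice Ninja's own config: a `default_server` catch-all that closes any connection whose Host header or SNI name is not invoice.example.com (so a request to the bare IP never reaches the application), plus the real vhost. The certificate, key, socket and document-root paths are placeholders to be replaced with your own; the PHP-FPM location block is the usual Laravel layout and is assumed, not taken from the thread.

```nginx
# Catch-all: anything that is not the expected domain name lands here.
# Requests addressed to the raw IP (no matching server_name) are closed
# without a reply, so they never reach the client portal or admin console.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # nginx must finish the TLS handshake before it can read the Host header,
    # so the catch-all needs some certificate; a self-signed one is enough.
    ssl_certificate     /etc/nginx/placeholder/selfsigned.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/placeholder/selfsigned.key;   # placeholder path

    return 444;   # nginx-specific code: drop the connection silently
}

# Plain HTTP for the real hostname: redirect to HTTPS and keep the path.
server {
    listen 80;
    listen [::]:80;
    server_name invoice.example.com;
    return 301 https://invoice.example.com$request_uri;
}

# The real site. Only requests whose Host header matches this server_name
# get here, so the application sees the hostname it uses to look up the company.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name invoice.example.com;

    ssl_certificate     /etc/letsencrypt/live/invoice.example.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/invoice.example.com/privkey.pem;     # placeholder path

    root /var/www/invoiceninja/public;   # placeholder path
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Check the syntax with `nginx -t` before `systemctl restart nginx`. To verify, `curl -k -I https://192.168.10.10/client/` (your real IP in place of the placeholder) should now fail with an empty reply, while `curl -I https://invoice.example.com/client/` still returns the application's response. The `default_server` approach has two advantages over the `if` block: it also covers plain-HTTP requests to the IP, and it does not depend on `if` inside a `server` block (which is safe here, but is the construct nginx's documentation warns about inside `location`).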
Hmm, I don’t want to be the wise guy, but if I set a switch “client portal off” I’d consider it a bug if an attacker can circumvent this setting by simple URL manipulation.
You would be correct if Invoice Ninja was a single company service, however with Invoice Ninja, you can have ten companies under the one account. And we utilize the URL to ascertain whether the client portal is on or off for the given company.
Hence if your server configuration allows access outside the bounds of the application, there isn’t much the application can do.